diff --git a/generated/1.26/apis/go.mod b/generated/1.26/apis/go.mod index 5211f44e3..08a741d41 100644 --- a/generated/1.26/apis/go.mod +++ b/generated/1.26/apis/go.mod @@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.26/apis go 1.13 require ( - k8s.io/api v0.26.14 - k8s.io/apimachinery v0.26.14 + k8s.io/api v0.26.15 + k8s.io/apimachinery v0.26.15 ) diff --git a/generated/1.26/apis/go.sum b/generated/1.26/apis/go.sum index 9a1520dc0..61f72ef0a 100644 --- a/generated/1.26/apis/go.sum +++ b/generated/1.26/apis/go.sum @@ -47,7 +47,7 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= @@ -255,7 +255,7 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -278,10 +278,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.26.14 h1:r+gEQ9L08uPAITk9gVwDJ6ErMuvZ79tgVoQFvyxaESQ= -k8s.io/api v0.26.14/go.mod h1:OXHRNHZUItD1Oun/DnrHirVrnVCOPyybHNTI6sBcDRs= -k8s.io/apimachinery v0.26.14 h1:u1s90TEuMBg+0+Q+lABBSKEwqTFYlUW5NJyD/YXqSZ0= -k8s.io/apimachinery v0.26.14/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y= +k8s.io/api v0.26.15 h1:tjMERUjIwkq+2UtPZL5ZbSsLkpxUv4gXWZfV5lQl+Og= +k8s.io/api v0.26.15/go.mod h1:CtWOrFl8VLCTLolRlhbBxo4fy83tjCLEtYa5pMubIe0= +k8s.io/apimachinery v0.26.15 h1:GPxeERYBSqSZlj3xIkX4L6mBjzZ9q8JPnJ+Vj15qe+g= +k8s.io/apimachinery v0.26.15/go.mod h1:O/uIhIOWuy6ndHqQ6qbkjD7OgeMhVtlk8+Z66ZcmJQc= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= diff --git a/generated/1.26/client/go.mod b/generated/1.26/client/go.mod index 266b3d3e0..f25930ebc 100644 --- a/generated/1.26/client/go.mod +++ b/generated/1.26/client/go.mod @@ -7,7 +7,7 @@ replace go.pinniped.dev/generated/1.26/apis => ../apis require ( go.pinniped.dev/generated/1.26/apis v0.0.0 - k8s.io/apimachinery v0.26.14 - k8s.io/client-go v0.26.14 + k8s.io/apimachinery v0.26.15 + k8s.io/client-go v0.26.15 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 ) diff --git a/generated/1.26/client/go.sum b/generated/1.26/client/go.sum index 28d662555..a249f9c5f 100644 --- a/generated/1.26/client/go.sum +++ b/generated/1.26/client/go.sum @@ -58,8 +58,8 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= @@ -296,8 +296,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -320,12 +320,12 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.26.14 h1:r+gEQ9L08uPAITk9gVwDJ6ErMuvZ79tgVoQFvyxaESQ= -k8s.io/api v0.26.14/go.mod h1:OXHRNHZUItD1Oun/DnrHirVrnVCOPyybHNTI6sBcDRs= -k8s.io/apimachinery v0.26.14 h1:u1s90TEuMBg+0+Q+lABBSKEwqTFYlUW5NJyD/YXqSZ0= -k8s.io/apimachinery v0.26.14/go.mod h1:2/HZp0l6coXtS26du1Bk36fCuAEr/lVs9Q9NbpBtd1Y= -k8s.io/client-go v0.26.14 h1:pPtDTiRTYu2M2zjHLEH7p6oWI++mGZq/2ZT0893poTE= -k8s.io/client-go v0.26.14/go.mod h1:yaORlvYE4xtoA0SkpIBZIdoTi1FiQQHVIbD58xB1824= +k8s.io/api v0.26.15 h1:tjMERUjIwkq+2UtPZL5ZbSsLkpxUv4gXWZfV5lQl+Og= +k8s.io/api v0.26.15/go.mod h1:CtWOrFl8VLCTLolRlhbBxo4fy83tjCLEtYa5pMubIe0= +k8s.io/apimachinery v0.26.15 h1:GPxeERYBSqSZlj3xIkX4L6mBjzZ9q8JPnJ+Vj15qe+g= +k8s.io/apimachinery v0.26.15/go.mod h1:O/uIhIOWuy6ndHqQ6qbkjD7OgeMhVtlk8+Z66ZcmJQc= +k8s.io/client-go v0.26.15 h1:A2Yav2v+VZQfpEsf5ESFp2Lqq5XACKBDrwkG+jEtOg0= +k8s.io/client-go v0.26.15/go.mod h1:KJs7snLEyKPlypqTQG/ngcaqE6h3/6qTvVHDViRL+iI= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= diff --git a/generated/1.27/apis/go.mod b/generated/1.27/apis/go.mod index a5f3d13a4..0bb4f37e3 100644 --- a/generated/1.27/apis/go.mod +++ b/generated/1.27/apis/go.mod @@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.27/apis go 1.13 require ( - k8s.io/api v0.27.11 - k8s.io/apimachinery v0.27.11 + k8s.io/api v0.27.13 + k8s.io/apimachinery v0.27.13 ) diff --git a/generated/1.27/apis/go.sum b/generated/1.27/apis/go.sum index cdbe47d0a..be2030f55 100644 --- a/generated/1.27/apis/go.sum +++ b/generated/1.27/apis/go.sum @@ -44,6 +44,7 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= @@ -146,6 +147,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= @@ -186,8 +189,10 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= -golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -228,6 +233,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -239,6 +246,8 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -298,7 +307,7 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -321,10 +330,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.27.11 h1:IsGrWbXt7RkE+arc9GLQPYI5AtZkT+feBMorY+Nzx4I= -k8s.io/api v0.27.11/go.mod h1:SGqTcyqa0e+Db3pgyH6v+por5dO2OdTkKDCdD3Op3Ng= -k8s.io/apimachinery v0.27.11 h1:ivrKMN7JgdtKhay14S5UQlvilV3z6W+wjiSQTzyr5zc= -k8s.io/apimachinery v0.27.11/go.mod h1:IHu2ovJ60RqxyPSLmTel7KDLdOCRbpOxwtUBmwBnT/E= +k8s.io/api v0.27.13 h1:d49LYs1dh+JMMDNYQSu8FhEzCjc2TNpYvDWoSGAKs80= +k8s.io/api v0.27.13/go.mod h1:W3lYMPs34i0XQA+cmKfejve+HwbRZjy67fL05RyJUTo= +k8s.io/apimachinery v0.27.13 h1:xDAnOWaRVNSkaKdfB0Ab11hixH90KGTbLwEHMloMjFM= +k8s.io/apimachinery v0.27.13/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= diff --git a/generated/1.27/client/go.mod b/generated/1.27/client/go.mod index e05db44ed..2f809619a 100644 --- a/generated/1.27/client/go.mod +++ b/generated/1.27/client/go.mod @@ -7,7 +7,7 @@ replace go.pinniped.dev/generated/1.27/apis => ../apis require ( go.pinniped.dev/generated/1.27/apis v0.0.0 - k8s.io/apimachinery v0.27.11 - k8s.io/client-go v0.27.11 + k8s.io/apimachinery v0.27.13 + k8s.io/client-go v0.27.13 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f ) diff --git a/generated/1.27/client/go.sum b/generated/1.27/client/go.sum index a3f41f664..dbfca3259 100644 --- a/generated/1.27/client/go.sum +++ b/generated/1.27/client/go.sum @@ -53,8 +53,9 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= @@ -172,6 +173,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= @@ -214,8 +217,10 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= -golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g= golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= @@ -258,8 +263,10 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -271,8 +278,10 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -337,8 +346,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -361,12 +370,12 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.27.11 h1:IsGrWbXt7RkE+arc9GLQPYI5AtZkT+feBMorY+Nzx4I= -k8s.io/api v0.27.11/go.mod h1:SGqTcyqa0e+Db3pgyH6v+por5dO2OdTkKDCdD3Op3Ng= -k8s.io/apimachinery v0.27.11 h1:ivrKMN7JgdtKhay14S5UQlvilV3z6W+wjiSQTzyr5zc= -k8s.io/apimachinery v0.27.11/go.mod h1:IHu2ovJ60RqxyPSLmTel7KDLdOCRbpOxwtUBmwBnT/E= -k8s.io/client-go v0.27.11 h1:SZChXsDaN6lB5IYywCpvQs/ZUa5vK2NHkpEwUhoK3fQ= -k8s.io/client-go v0.27.11/go.mod h1:Rg3Yeuk9sX87gpVunVn3AsvMkGZfXuutTDC/jigBNUo= +k8s.io/api v0.27.13 h1:d49LYs1dh+JMMDNYQSu8FhEzCjc2TNpYvDWoSGAKs80= +k8s.io/api v0.27.13/go.mod h1:W3lYMPs34i0XQA+cmKfejve+HwbRZjy67fL05RyJUTo= +k8s.io/apimachinery v0.27.13 h1:xDAnOWaRVNSkaKdfB0Ab11hixH90KGTbLwEHMloMjFM= +k8s.io/apimachinery v0.27.13/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg= +k8s.io/client-go v0.27.13 h1:SfUbIukb6BSqaadlYRX0AzMoN6+e+9FZGEKqfisidho= +k8s.io/client-go v0.27.13/go.mod h1:I9SBaI28r6ii465Fb0dTpf5O3adOnDwNBoeqlDNbbFg= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= diff --git a/generated/1.28/apis/go.mod b/generated/1.28/apis/go.mod index 3f4e57bf4..67a146a63 100644 --- a/generated/1.28/apis/go.mod +++ b/generated/1.28/apis/go.mod @@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.28/apis go 1.13 require ( - k8s.io/api v0.28.7 - k8s.io/apimachinery v0.28.7 + k8s.io/api v0.28.9 + k8s.io/apimachinery v0.28.9 ) diff --git a/generated/1.28/apis/go.sum b/generated/1.28/apis/go.sum index d1df0be14..e2914d9e5 100644 --- a/generated/1.28/apis/go.sum +++ b/generated/1.28/apis/go.sum @@ -36,6 +36,7 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= @@ -140,6 +141,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= @@ -173,8 +176,10 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= -golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -213,6 +218,8 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -225,6 +232,8 @@ golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -269,7 +278,7 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= @@ -288,10 +297,10 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.28.7 h1:YKIhBxjXKaxuxWJnwohV0aGjRA5l4IU0Eywf/q19AVI= -k8s.io/api v0.28.7/go.mod h1:y4RbcjCCMff1930SG/TcP3AUKNfaJUgIeUp58e/2vyY= -k8s.io/apimachinery v0.28.7 h1:2Z38/XRAOcpb+PonxmBEmjG7hBfmmr41xnr0XvpTnB4= -k8s.io/apimachinery v0.28.7/go.mod h1:QFNX/kCl/EMT2WTSz8k4WLCv2XnkOLMaL8GAVRMdpsA= +k8s.io/api v0.28.9 h1:E7VEXXCAlSrp+08zq4zgd+ko6Ttu0Mw+XoXlIkDTVW0= +k8s.io/api v0.28.9/go.mod h1:AnCsDYf3SHjfa8mPG5LGYf+iF4mie+3peLQR51MMCgw= +k8s.io/apimachinery v0.28.9 h1:aXz4Zxsw+Pk4KhBerAtKRxNN1uSMWKfciL/iOdBfXvA= +k8s.io/apimachinery v0.28.9/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= diff --git a/generated/1.28/client/go.mod b/generated/1.28/client/go.mod index fe709ee85..167f036a3 100644 --- a/generated/1.28/client/go.mod +++ b/generated/1.28/client/go.mod @@ -7,7 +7,7 @@ replace go.pinniped.dev/generated/1.28/apis => ../apis require ( go.pinniped.dev/generated/1.28/apis v0.0.0 - k8s.io/apimachinery v0.28.7 - k8s.io/client-go v0.28.7 + k8s.io/apimachinery v0.28.9 + k8s.io/client-go v0.28.9 k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 ) diff --git a/generated/1.28/client/go.sum b/generated/1.28/client/go.sum index a47c7de3c..1f5edadbd 100644 --- a/generated/1.28/client/go.sum +++ b/generated/1.28/client/go.sum @@ -45,8 +45,9 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= @@ -166,6 +167,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= @@ -200,8 +203,10 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= -golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -241,8 +246,10 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -254,8 +261,10 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -305,8 +314,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= @@ -325,12 +334,12 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.28.7 h1:YKIhBxjXKaxuxWJnwohV0aGjRA5l4IU0Eywf/q19AVI= -k8s.io/api v0.28.7/go.mod h1:y4RbcjCCMff1930SG/TcP3AUKNfaJUgIeUp58e/2vyY= -k8s.io/apimachinery v0.28.7 h1:2Z38/XRAOcpb+PonxmBEmjG7hBfmmr41xnr0XvpTnB4= -k8s.io/apimachinery v0.28.7/go.mod h1:QFNX/kCl/EMT2WTSz8k4WLCv2XnkOLMaL8GAVRMdpsA= -k8s.io/client-go v0.28.7 h1:3L6402+tjmOl8twX3fjUQ/wsYAkw6UlVNDVP+rF6YGA= -k8s.io/client-go v0.28.7/go.mod h1:xIoEaDewZ+EwWOo1/F1t0IOKMPe1rwBZhLu9Es6y0tE= +k8s.io/api v0.28.9 h1:E7VEXXCAlSrp+08zq4zgd+ko6Ttu0Mw+XoXlIkDTVW0= +k8s.io/api v0.28.9/go.mod h1:AnCsDYf3SHjfa8mPG5LGYf+iF4mie+3peLQR51MMCgw= +k8s.io/apimachinery v0.28.9 h1:aXz4Zxsw+Pk4KhBerAtKRxNN1uSMWKfciL/iOdBfXvA= +k8s.io/apimachinery v0.28.9/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o= +k8s.io/client-go v0.28.9 h1:mmMvejwc/KDjMLmDpyaxkWNzlWRCJ6ht7Qsbsnwn39Y= +k8s.io/client-go v0.28.9/go.mod h1:GFDy3rUNId++WGrr0hRaBrs+y1eZz5JtVZODEalhRMo= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= diff --git a/generated/1.29/apis/go.mod b/generated/1.29/apis/go.mod index 668b6d98b..7d81b6af8 100644 --- a/generated/1.29/apis/go.mod +++ b/generated/1.29/apis/go.mod @@ -4,8 +4,8 @@ module go.pinniped.dev/generated/1.29/apis go 1.21 require ( - k8s.io/api v0.29.2 - k8s.io/apimachinery v0.29.2 + k8s.io/api v0.29.4 + k8s.io/apimachinery v0.29.4 ) require ( @@ -15,7 +15,7 @@ require ( github.com/json-iterator/go v1.1.12 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect - golang.org/x/net v0.19.0 // indirect + golang.org/x/net v0.23.0 // indirect golang.org/x/text v0.14.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/generated/1.29/apis/go.sum b/generated/1.29/apis/go.sum index 5a814a14b..77d507521 100644 --- a/generated/1.29/apis/go.sum +++ b/generated/1.29/apis/go.sum @@ -45,8 +45,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= -golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -75,10 +75,10 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A= -k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0= -k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8= -k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= +k8s.io/api v0.29.4 h1:WEnF/XdxuCxdG3ayHNRR8yH3cI1B/llkWBma6bq4R3w= +k8s.io/api v0.29.4/go.mod h1:DetSv0t4FBTcEpfA84NJV3g9a7+rSzlUHk5ADAYHUv0= +k8s.io/apimachinery v0.29.4 h1:RaFdJiDmuKs/8cm1M6Dh1Kvyh59YQFDcFuFTSmXes6Q= +k8s.io/apimachinery v0.29.4/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y= k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= diff --git a/generated/1.29/client/go.mod b/generated/1.29/client/go.mod index 4ed156917..a7dbf4f5d 100644 --- a/generated/1.29/client/go.mod +++ b/generated/1.29/client/go.mod @@ -7,8 +7,8 @@ replace go.pinniped.dev/generated/1.29/apis => ../apis require ( go.pinniped.dev/generated/1.29/apis v0.0.0 - k8s.io/apimachinery v0.29.2 - k8s.io/client-go v0.29.2 + k8s.io/apimachinery v0.29.4 + k8s.io/client-go v0.29.4 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 ) @@ -21,7 +21,7 @@ require ( github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect @@ -33,18 +33,18 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect - golang.org/x/net v0.19.0 // indirect + golang.org/x/net v0.23.0 // indirect golang.org/x/oauth2 v0.10.0 // indirect - golang.org/x/sys v0.15.0 // indirect - golang.org/x/term v0.15.0 // indirect + golang.org/x/sys v0.18.0 // indirect + golang.org/x/term v0.18.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.31.0 // indirect + google.golang.org/protobuf v1.33.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.29.2 // indirect + k8s.io/api v0.29.4 // indirect k8s.io/klog/v2 v2.110.1 // indirect k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/generated/1.29/client/go.sum b/generated/1.29/client/go.sum index 6837618be..2e92347b2 100644 --- a/generated/1.29/client/go.sum +++ b/generated/1.29/client/go.sum @@ -19,12 +19,10 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= @@ -90,8 +88,8 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= -golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -100,10 +98,10 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= -golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -123,10 +121,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= @@ -138,12 +134,12 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A= -k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0= -k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8= -k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= -k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg= -k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA= +k8s.io/api v0.29.4 h1:WEnF/XdxuCxdG3ayHNRR8yH3cI1B/llkWBma6bq4R3w= +k8s.io/api v0.29.4/go.mod h1:DetSv0t4FBTcEpfA84NJV3g9a7+rSzlUHk5ADAYHUv0= +k8s.io/apimachinery v0.29.4 h1:RaFdJiDmuKs/8cm1M6Dh1Kvyh59YQFDcFuFTSmXes6Q= +k8s.io/apimachinery v0.29.4/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y= +k8s.io/client-go v0.29.4 h1:79ytIedxVfyXV8rpH3jCBW0u+un0fxHDwX5F9K8dPR8= +k8s.io/client-go v0.29.4/go.mod h1:kC1thZQ4zQWYwldsfI088BbK6RkxK+aF5ebV8y9Q4tk= k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= diff --git a/generated/1.30/apis/concierge/authentication/v1alpha1/doc.go b/generated/1.30/apis/concierge/authentication/v1alpha1/doc.go new file mode 100644 index 000000000..d00d3ba60 --- /dev/null +++ b/generated/1.30/apis/concierge/authentication/v1alpha1/doc.go @@ -0,0 +1,10 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=authentication.concierge.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API. +package v1alpha1 diff --git a/generated/1.30/apis/concierge/authentication/v1alpha1/register.go b/generated/1.30/apis/concierge/authentication/v1alpha1/register.go new file mode 100644 index 000000000..f58039e4a --- /dev/null +++ b/generated/1.30/apis/concierge/authentication/v1alpha1/register.go @@ -0,0 +1,45 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "authentication.concierge.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WebhookAuthenticator{}, + &WebhookAuthenticatorList{}, + &JWTAuthenticator{}, + &JWTAuthenticatorList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.30/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go b/generated/1.30/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go new file mode 100644 index 000000000..f75d50776 --- /dev/null +++ b/generated/1.30/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go @@ -0,0 +1,102 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type JWTAuthenticatorPhase string + +const ( + // JWTAuthenticatorPhasePending is the default phase for newly-created JWTAuthenticator resources. + JWTAuthenticatorPhasePending JWTAuthenticatorPhase = "Pending" + + // JWTAuthenticatorPhaseReady is the phase for an JWTAuthenticator resource in a healthy state. + JWTAuthenticatorPhaseReady JWTAuthenticatorPhase = "Ready" + + // JWTAuthenticatorPhaseError is the phase for an JWTAuthenticator in an unhealthy state. + JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error" +) + +// Status of a JWT authenticator. +type JWTAuthenticatorStatus struct { + // Represents the observations of the authenticator's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + // Phase summarizes the overall status of the JWTAuthenticator. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase JWTAuthenticatorPhase `json:"phase,omitempty"` +} + +// Spec for configuring a JWT authenticator. +type JWTAuthenticatorSpec struct { + // Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + // also used to validate the "iss" JWT claim. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Issuer string `json:"issuer"` + + // Audience is the required value of the "aud" JWT claim. + // +kubebuilder:validation:MinLength=1 + Audience string `json:"audience"` + + // Claims allows customization of the claims that will be mapped to user identity + // for Kubernetes access. + // +optional + Claims JWTTokenClaims `json:"claims"` + + // TLS configuration for communicating with the OIDC provider. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// JWTTokenClaims allows customization of the claims that will be mapped to user identity +// for Kubernetes access. +type JWTTokenClaims struct { + // Groups is the name of the claim which should be read to extract the user's + // group membership from the JWT token. When not specified, it will default to "groups". + // +optional + Groups string `json:"groups"` + + // Username is the name of the claim which should be read to extract the + // username from the JWT token. When not specified, it will default to "username". + // +optional + Username string `json:"username"` +} + +// JWTAuthenticator describes the configuration of a JWT authenticator. +// +// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid +// signature, existence of claims, etc.) and extract the username and groups from the token. +// +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster +// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +// +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type JWTAuthenticator struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the authenticator. + Spec JWTAuthenticatorSpec `json:"spec"` + + // Status of the authenticator. + Status JWTAuthenticatorStatus `json:"status,omitempty"` +} + +// List of JWTAuthenticator objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type JWTAuthenticatorList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []JWTAuthenticator `json:"items"` +} diff --git a/generated/1.30/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.30/apis/concierge/authentication/v1alpha1/types_tls.go new file mode 100644 index 000000000..12231665d --- /dev/null +++ b/generated/1.30/apis/concierge/authentication/v1alpha1/types_tls.go @@ -0,0 +1,11 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Configuration for configuring TLS on various authenticators. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.30/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go b/generated/1.30/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go new file mode 100644 index 000000000..cbe3eeeb0 --- /dev/null +++ b/generated/1.30/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go @@ -0,0 +1,73 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type WebhookAuthenticatorPhase string + +const ( + // WebhookAuthenticatorPhasePending is the default phase for newly-created WebhookAuthenticator resources. + WebhookAuthenticatorPhasePending WebhookAuthenticatorPhase = "Pending" + + // WebhookAuthenticatorPhaseReady is the phase for an WebhookAuthenticator resource in a healthy state. + WebhookAuthenticatorPhaseReady WebhookAuthenticatorPhase = "Ready" + + // WebhookAuthenticatorPhaseError is the phase for an WebhookAuthenticator in an unhealthy state. + WebhookAuthenticatorPhaseError WebhookAuthenticatorPhase = "Error" +) + +// Status of a webhook authenticator. +type WebhookAuthenticatorStatus struct { + // Represents the observations of the authenticator's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + // Phase summarizes the overall status of the WebhookAuthenticator. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase WebhookAuthenticatorPhase `json:"phase,omitempty"` +} + +// Spec for configuring a webhook authenticator. +type WebhookAuthenticatorSpec struct { + // Webhook server endpoint URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Endpoint string `json:"endpoint"` + + // TLS configuration. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// WebhookAuthenticator describes the configuration of a webhook authenticator. +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster +// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type WebhookAuthenticator struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the authenticator. + Spec WebhookAuthenticatorSpec `json:"spec"` + + // Status of the authenticator. + Status WebhookAuthenticatorStatus `json:"status,omitempty"` +} + +// List of WebhookAuthenticator objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WebhookAuthenticatorList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []WebhookAuthenticator `json:"items"` +} diff --git a/generated/1.30/apis/concierge/config/v1alpha1/doc.go b/generated/1.30/apis/concierge/config/v1alpha1/doc.go new file mode 100644 index 000000000..97b2f2120 --- /dev/null +++ b/generated/1.30/apis/concierge/config/v1alpha1/doc.go @@ -0,0 +1,10 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=config.concierge.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API. +package v1alpha1 diff --git a/generated/1.30/apis/concierge/config/v1alpha1/register.go b/generated/1.30/apis/concierge/config/v1alpha1/register.go new file mode 100644 index 000000000..8d799898e --- /dev/null +++ b/generated/1.30/apis/concierge/config/v1alpha1/register.go @@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "config.concierge.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &CredentialIssuer{}, + &CredentialIssuerList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.30/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.30/apis/concierge/config/v1alpha1/types_credentialissuer.go new file mode 100644 index 000000000..0ee0f0dbf --- /dev/null +++ b/generated/1.30/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -0,0 +1,273 @@ +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// StrategyType enumerates a type of "strategy" used to implement credential access on a cluster. +// +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy +type StrategyType string + +// FrontendType enumerates a type of "frontend" used to provide access to users of a cluster. +// +kubebuilder:validation:Enum=TokenCredentialRequestAPI;ImpersonationProxy +type FrontendType string + +// StrategyStatus enumerates whether a strategy is working on a cluster. +// +kubebuilder:validation:Enum=Success;Error +type StrategyStatus string + +// StrategyReason enumerates the detailed reason why a strategy is in a particular status. +// +kubebuilder:validation:Enum=Listening;Pending;Disabled;ErrorDuringSetup;CouldNotFetchKey;CouldNotGetClusterInfo;FetchedKey +type StrategyReason string + +const ( + KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate") + ImpersonationProxyStrategyType = StrategyType("ImpersonationProxy") + + TokenCredentialRequestAPIFrontendType = FrontendType("TokenCredentialRequestAPI") + ImpersonationProxyFrontendType = FrontendType("ImpersonationProxy") + + SuccessStrategyStatus = StrategyStatus("Success") + ErrorStrategyStatus = StrategyStatus("Error") + + ListeningStrategyReason = StrategyReason("Listening") + PendingStrategyReason = StrategyReason("Pending") + DisabledStrategyReason = StrategyReason("Disabled") + ErrorDuringSetupStrategyReason = StrategyReason("ErrorDuringSetup") + CouldNotFetchKeyStrategyReason = StrategyReason("CouldNotFetchKey") + CouldNotGetClusterInfoStrategyReason = StrategyReason("CouldNotGetClusterInfo") + FetchedKeyStrategyReason = StrategyReason("FetchedKey") +) + +// CredentialIssuerSpec describes the intended configuration of the Concierge. +type CredentialIssuerSpec struct { + // ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy. + ImpersonationProxy *ImpersonationProxySpec `json:"impersonationProxy"` +} + +// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy. +// +// +kubebuilder:validation:Enum=auto;enabled;disabled +type ImpersonationProxyMode string + +const ( + // ImpersonationProxyModeDisabled explicitly disables the impersonation proxy. + ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled") + + // ImpersonationProxyModeEnabled explicitly enables the impersonation proxy. + ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled") + + // ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running. + ImpersonationProxyModeAuto = ImpersonationProxyMode("auto") +) + +// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy. +// +// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None +type ImpersonationProxyServiceType string + +const ( + // ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer. + ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer") + + // ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP. + ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP") + + // ImpersonationProxyServiceTypeNone does not automatically provision any service. + ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") +) + +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + +// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. +type ImpersonationProxySpec struct { + // Mode configures whether the impersonation proxy should be started: + // - "disabled" explicitly disables the impersonation proxy. This is the default. + // - "enabled" explicitly enables the impersonation proxy. + // - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. + Mode ImpersonationProxyMode `json:"mode"` + + // Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. + // + // +kubebuilder:default:={"type": "LoadBalancer"} + Service ImpersonationProxyServiceSpec `json:"service"` + + // ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + // be served using the external name of the LoadBalancer service or the cluster service DNS name. + // + // This field must be non-empty when spec.impersonationProxy.service.type is "None". + // + // +optional + ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` +} + +// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. +type ImpersonationProxyServiceSpec struct { + // Type specifies the type of Service to provision for the impersonation proxy. + // + // If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + // value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. + // + // +kubebuilder:default:="LoadBalancer" + Type ImpersonationProxyServiceType `json:"type,omitempty"` + + // LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. + // This is not supported on all cloud providers. + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=255 + // +optional + LoadBalancerIP string `json:"loadBalancerIP,omitempty"` + + // Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service. + // + // +optional + Annotations map[string]string `json:"annotations,omitempty"` +} + +// CredentialIssuerStatus describes the status of the Concierge. +type CredentialIssuerStatus struct { + // List of integration strategies that were attempted by Pinniped. + Strategies []CredentialIssuerStrategy `json:"strategies"` + + // Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + // This field is deprecated and will be removed in a future version. + // +optional + KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"` +} + +// CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer. +// This type is deprecated and will be removed in a future version. +type CredentialIssuerKubeConfigInfo struct { + // The K8s API server URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://|^http://` + Server string `json:"server"` + + // The K8s API server CA bundle. + // +kubebuilder:validation:MinLength=1 + CertificateAuthorityData string `json:"certificateAuthorityData"` +} + +// CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped. +type CredentialIssuerStrategy struct { + // Type of integration attempted. + Type StrategyType `json:"type"` + + // Status of the attempted integration strategy. + Status StrategyStatus `json:"status"` + + // Reason for the current status. + Reason StrategyReason `json:"reason"` + + // Human-readable description of the current status. + // +kubebuilder:validation:MinLength=1 + Message string `json:"message"` + + // When the status was last checked. + LastUpdateTime metav1.Time `json:"lastUpdateTime"` + + // Frontend describes how clients can connect using this strategy. + Frontend *CredentialIssuerFrontend `json:"frontend,omitempty"` +} + +// CredentialIssuerFrontend describes how to connect using a particular integration strategy. +type CredentialIssuerFrontend struct { + // Type describes which frontend mechanism clients can use with a strategy. + Type FrontendType `json:"type"` + + // TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + // This field is only set when Type is "TokenCredentialRequestAPI". + TokenCredentialRequestAPIInfo *TokenCredentialRequestAPIInfo `json:"tokenCredentialRequestInfo,omitempty"` + + // ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + // This field is only set when Type is "ImpersonationProxy". + ImpersonationProxyInfo *ImpersonationProxyInfo `json:"impersonationProxyInfo,omitempty"` +} + +// TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. +type TokenCredentialRequestAPIInfo struct { + // Server is the Kubernetes API server URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://|^http://` + Server string `json:"server"` + + // CertificateAuthorityData is the base64-encoded Kubernetes API server CA bundle. + // +kubebuilder:validation:MinLength=1 + CertificateAuthorityData string `json:"certificateAuthorityData"` +} + +// ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. +type ImpersonationProxyInfo struct { + // Endpoint is the HTTPS endpoint of the impersonation proxy. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Endpoint string `json:"endpoint"` + + // CertificateAuthorityData is the base64-encoded PEM CA bundle of the impersonation proxy. + // +kubebuilder:validation:MinLength=1 + CertificateAuthorityData string `json:"certificateAuthorityData"` +} + +// CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer. +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped,scope=Cluster +// +kubebuilder:printcolumn:name="ProxyMode",type=string,JSONPath=`.spec.impersonationProxy.mode` +// +kubebuilder:printcolumn:name="DefaultStrategy",type=string,JSONPath=`.status.strategies[?(@.status == "Success")].type` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type CredentialIssuer struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec describes the intended configuration of the Concierge. + // + // +optional + Spec CredentialIssuerSpec `json:"spec"` + + // CredentialIssuerStatus describes the status of the Concierge. + // + // +optional + Status CredentialIssuerStatus `json:"status"` +} + +// CredentialIssuerList is a list of CredentialIssuer objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type CredentialIssuerList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []CredentialIssuer `json:"items"` +} diff --git a/generated/1.30/apis/concierge/identity/doc.go b/generated/1.30/apis/concierge/identity/doc.go new file mode 100644 index 000000000..130e8942a --- /dev/null +++ b/generated/1.30/apis/concierge/identity/doc.go @@ -0,0 +1,8 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=identity.concierge.pinniped.dev + +// Package identity is the internal version of the Pinniped identity API. +package identity diff --git a/generated/1.30/apis/concierge/identity/register.go b/generated/1.30/apis/concierge/identity/register.go new file mode 100644 index 000000000..0cefb8347 --- /dev/null +++ b/generated/1.30/apis/concierge/identity/register.go @@ -0,0 +1,38 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package identity + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "identity.concierge.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal} + +// Kind takes an unqualified kind and returns back a Group qualified GroupKind. +func Kind(kind string) schema.GroupKind { + return SchemeGroupVersion.WithKind(kind).GroupKind() +} + +// Resource takes an unqualified resource and returns back a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + AddToScheme = SchemeBuilder.AddToScheme +) + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WhoAmIRequest{}, + &WhoAmIRequestList{}, + ) + return nil +} diff --git a/generated/1.30/apis/concierge/identity/types_userinfo.go b/generated/1.30/apis/concierge/identity/types_userinfo.go new file mode 100644 index 000000000..65eb50cc4 --- /dev/null +++ b/generated/1.30/apis/concierge/identity/types_userinfo.go @@ -0,0 +1,37 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package identity + +import "fmt" + +// KubernetesUserInfo represents the current authenticated user, exactly as Kubernetes understands it. +// Copied from the Kubernetes token review API. +type KubernetesUserInfo struct { + // User is the UserInfo associated with the current user. + User UserInfo + // Audiences are audience identifiers chosen by the authenticator. + Audiences []string +} + +// UserInfo holds the information about the user needed to implement the +// user.Info interface. +type UserInfo struct { + // The name that uniquely identifies this user among all active users. + Username string + // A unique value that identifies this user across time. If this user is + // deleted and another user by the same name is added, they will have + // different UIDs. + UID string + // The names of groups this user is a part of. + Groups []string + // Any additional information provided by the authenticator. + Extra map[string]ExtraValue +} + +// ExtraValue masks the value so protobuf can generate +type ExtraValue []string + +func (t ExtraValue) String() string { + return fmt.Sprintf("%v", []string(t)) +} diff --git a/generated/1.30/apis/concierge/identity/types_whoamirequest.go b/generated/1.30/apis/concierge/identity/types_whoamirequest.go new file mode 100644 index 000000000..a24d803ad --- /dev/null +++ b/generated/1.30/apis/concierge/identity/types_whoamirequest.go @@ -0,0 +1,42 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package identity + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// WhoAmIRequest submits a request to echo back the current authenticated user. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WhoAmIRequest struct { + metav1.TypeMeta + metav1.ObjectMeta + + Spec WhoAmIRequestSpec + Status WhoAmIRequestStatus +} + +// Spec is always empty for a WhoAmIRequest. +type WhoAmIRequestSpec struct { + // empty for now but we may add some config here in the future + // any such config must be safe in the context of an unauthenticated user +} + +// Status is set by the server in the response to a WhoAmIRequest. +type WhoAmIRequestStatus struct { + // The current authenticated user, exactly as Kubernetes understands it. + KubernetesUserInfo KubernetesUserInfo + + // We may add concierge specific information here in the future. +} + +// WhoAmIRequestList is a list of WhoAmIRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WhoAmIRequestList struct { + metav1.TypeMeta + metav1.ListMeta + + // Items is a list of WhoAmIRequest. + Items []WhoAmIRequest +} diff --git a/generated/1.30/apis/concierge/identity/v1alpha1/conversion.go b/generated/1.30/apis/concierge/identity/v1alpha1/conversion.go new file mode 100644 index 000000000..63ae004e9 --- /dev/null +++ b/generated/1.30/apis/concierge/identity/v1alpha1/conversion.go @@ -0,0 +1,4 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 diff --git a/generated/1.30/apis/concierge/identity/v1alpha1/defaults.go b/generated/1.30/apis/concierge/identity/v1alpha1/defaults.go new file mode 100644 index 000000000..15c2bec9b --- /dev/null +++ b/generated/1.30/apis/concierge/identity/v1alpha1/defaults.go @@ -0,0 +1,12 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/generated/1.30/apis/concierge/identity/v1alpha1/doc.go b/generated/1.30/apis/concierge/identity/v1alpha1/doc.go new file mode 100644 index 000000000..651223b38 --- /dev/null +++ b/generated/1.30/apis/concierge/identity/v1alpha1/doc.go @@ -0,0 +1,11 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=go.pinniped.dev/generated/1.30/apis/concierge/identity +// +k8s:defaulter-gen=TypeMeta +// +groupName=identity.concierge.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped identity API. +package v1alpha1 diff --git a/generated/1.30/apis/concierge/identity/v1alpha1/register.go b/generated/1.30/apis/concierge/identity/v1alpha1/register.go new file mode 100644 index 000000000..0e17d5843 --- /dev/null +++ b/generated/1.30/apis/concierge/identity/v1alpha1/register.go @@ -0,0 +1,43 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "identity.concierge.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WhoAmIRequest{}, + &WhoAmIRequestList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.30/apis/concierge/identity/v1alpha1/types_userinfo.go b/generated/1.30/apis/concierge/identity/v1alpha1/types_userinfo.go new file mode 100644 index 000000000..4e509fc17 --- /dev/null +++ b/generated/1.30/apis/concierge/identity/v1alpha1/types_userinfo.go @@ -0,0 +1,41 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import "fmt" + +// KubernetesUserInfo represents the current authenticated user, exactly as Kubernetes understands it. +// Copied from the Kubernetes token review API. +type KubernetesUserInfo struct { + // User is the UserInfo associated with the current user. + User UserInfo `json:"user"` + // Audiences are audience identifiers chosen by the authenticator. + // +optional + Audiences []string `json:"audiences,omitempty"` +} + +// UserInfo holds the information about the user needed to implement the +// user.Info interface. +type UserInfo struct { + // The name that uniquely identifies this user among all active users. + Username string `json:"username"` + // A unique value that identifies this user across time. If this user is + // deleted and another user by the same name is added, they will have + // different UIDs. + // +optional + UID string `json:"uid,omitempty"` + // The names of groups this user is a part of. + // +optional + Groups []string `json:"groups,omitempty"` + // Any additional information provided by the authenticator. + // +optional + Extra map[string]ExtraValue `json:"extra,omitempty"` +} + +// ExtraValue masks the value so protobuf can generate +type ExtraValue []string + +func (t ExtraValue) String() string { + return fmt.Sprintf("%v", []string(t)) +} diff --git a/generated/1.30/apis/concierge/identity/v1alpha1/types_whoamirequest.go b/generated/1.30/apis/concierge/identity/v1alpha1/types_whoamirequest.go new file mode 100644 index 000000000..d70e356c4 --- /dev/null +++ b/generated/1.30/apis/concierge/identity/v1alpha1/types_whoamirequest.go @@ -0,0 +1,45 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// WhoAmIRequest submits a request to echo back the current authenticated user. +// +genclient +// +genclient:nonNamespaced +// +genclient:onlyVerbs=create +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WhoAmIRequest struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec WhoAmIRequestSpec `json:"spec,omitempty"` + Status WhoAmIRequestStatus `json:"status,omitempty"` +} + +// Spec is always empty for a WhoAmIRequest. +type WhoAmIRequestSpec struct { + // empty for now but we may add some config here in the future + // any such config must be safe in the context of an unauthenticated user +} + +// Status is set by the server in the response to a WhoAmIRequest. +type WhoAmIRequestStatus struct { + // The current authenticated user, exactly as Kubernetes understands it. + KubernetesUserInfo KubernetesUserInfo `json:"kubernetesUserInfo"` + + // We may add concierge specific information here in the future. +} + +// WhoAmIRequestList is a list of WhoAmIRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WhoAmIRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + // Items is a list of WhoAmIRequest. + Items []WhoAmIRequest `json:"items"` +} diff --git a/generated/1.30/apis/concierge/identity/validation/validation.go b/generated/1.30/apis/concierge/identity/validation/validation.go new file mode 100644 index 000000000..501b4f606 --- /dev/null +++ b/generated/1.30/apis/concierge/identity/validation/validation.go @@ -0,0 +1,14 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package validation + +import ( + "k8s.io/apimachinery/pkg/util/validation/field" + + identityapi "go.pinniped.dev/generated/1.30/apis/concierge/identity" +) + +func ValidateWhoAmIRequest(whoAmIRequest *identityapi.WhoAmIRequest) field.ErrorList { + return nil // add validation for spec here if we expand it +} diff --git a/generated/1.30/apis/concierge/login/doc.go b/generated/1.30/apis/concierge/login/doc.go new file mode 100644 index 000000000..14af63a2f --- /dev/null +++ b/generated/1.30/apis/concierge/login/doc.go @@ -0,0 +1,8 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=login.concierge.pinniped.dev + +// Package login is the internal version of the Pinniped login API. +package login diff --git a/generated/1.30/apis/concierge/login/register.go b/generated/1.30/apis/concierge/login/register.go new file mode 100644 index 000000000..1c3ba130b --- /dev/null +++ b/generated/1.30/apis/concierge/login/register.go @@ -0,0 +1,38 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package login + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "login.concierge.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal} + +// Kind takes an unqualified kind and returns back a Group qualified GroupKind. +func Kind(kind string) schema.GroupKind { + return SchemeGroupVersion.WithKind(kind).GroupKind() +} + +// Resource takes an unqualified resource and returns back a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + AddToScheme = SchemeBuilder.AddToScheme +) + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &TokenCredentialRequest{}, + &TokenCredentialRequestList{}, + ) + return nil +} diff --git a/generated/1.30/apis/concierge/login/types_clustercredential.go b/generated/1.30/apis/concierge/login/types_clustercredential.go new file mode 100644 index 000000000..77b1550be --- /dev/null +++ b/generated/1.30/apis/concierge/login/types_clustercredential.go @@ -0,0 +1,22 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package login + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ClusterCredential is the cluster-specific credential returned on a successful credential request. It +// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. +type ClusterCredential struct { + // ExpirationTimestamp indicates a time when the provided credentials expire. + ExpirationTimestamp metav1.Time + + // Token is a bearer token used by the client for request authentication. + Token string + + // PEM-encoded client TLS certificates (including intermediates, if any). + ClientCertificateData string + + // PEM-encoded private key for the above certificate. + ClientKeyData string +} diff --git a/generated/1.30/apis/concierge/login/types_tokencredentialrequest.go b/generated/1.30/apis/concierge/login/types_tokencredentialrequest.go new file mode 100644 index 000000000..a5b90f2be --- /dev/null +++ b/generated/1.30/apis/concierge/login/types_tokencredentialrequest.go @@ -0,0 +1,49 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package login + +import ( + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// Specification of a TokenCredentialRequest, expected on requests to the Pinniped API. +type TokenCredentialRequestSpec struct { + // Bearer token supplied with the credential request. + Token string + + // Reference to an authenticator which can validate this credential request. + Authenticator corev1.TypedLocalObjectReference +} + +// Status of a TokenCredentialRequest, returned on responses to the Pinniped API. +type TokenCredentialRequestStatus struct { + // A Credential will be returned for a successful credential request. + // +optional + Credential *ClusterCredential + + // An error message will be returned for an unsuccessful credential request. + // +optional + Message *string +} + +// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type TokenCredentialRequest struct { + metav1.TypeMeta + metav1.ObjectMeta + + Spec TokenCredentialRequestSpec + Status TokenCredentialRequestStatus +} + +// TokenCredentialRequestList is a list of TokenCredentialRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type TokenCredentialRequestList struct { + metav1.TypeMeta + metav1.ListMeta + + // Items is a list of TokenCredentialRequest. + Items []TokenCredentialRequest +} diff --git a/generated/1.30/apis/concierge/login/v1alpha1/conversion.go b/generated/1.30/apis/concierge/login/v1alpha1/conversion.go new file mode 100644 index 000000000..dca8bca2e --- /dev/null +++ b/generated/1.30/apis/concierge/login/v1alpha1/conversion.go @@ -0,0 +1,4 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 diff --git a/generated/1.30/apis/concierge/login/v1alpha1/defaults.go b/generated/1.30/apis/concierge/login/v1alpha1/defaults.go new file mode 100644 index 000000000..12f0acd29 --- /dev/null +++ b/generated/1.30/apis/concierge/login/v1alpha1/defaults.go @@ -0,0 +1,12 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/generated/1.30/apis/concierge/login/v1alpha1/doc.go b/generated/1.30/apis/concierge/login/v1alpha1/doc.go new file mode 100644 index 000000000..8bc6dbcee --- /dev/null +++ b/generated/1.30/apis/concierge/login/v1alpha1/doc.go @@ -0,0 +1,11 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=go.pinniped.dev/generated/1.30/apis/concierge/login +// +k8s:defaulter-gen=TypeMeta +// +groupName=login.concierge.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped login API. +package v1alpha1 diff --git a/generated/1.30/apis/concierge/login/v1alpha1/register.go b/generated/1.30/apis/concierge/login/v1alpha1/register.go new file mode 100644 index 000000000..60efec82b --- /dev/null +++ b/generated/1.30/apis/concierge/login/v1alpha1/register.go @@ -0,0 +1,43 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "login.concierge.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &TokenCredentialRequest{}, + &TokenCredentialRequestList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.30/apis/concierge/login/v1alpha1/types_clustercredential.go b/generated/1.30/apis/concierge/login/v1alpha1/types_clustercredential.go new file mode 100644 index 000000000..eb50c7fe3 --- /dev/null +++ b/generated/1.30/apis/concierge/login/v1alpha1/types_clustercredential.go @@ -0,0 +1,22 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ClusterCredential is the cluster-specific credential returned on a successful credential request. It +// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. +type ClusterCredential struct { + // ExpirationTimestamp indicates a time when the provided credentials expire. + ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"` + + // Token is a bearer token used by the client for request authentication. + Token string `json:"token,omitempty"` + + // PEM-encoded client TLS certificates (including intermediates, if any). + ClientCertificateData string `json:"clientCertificateData,omitempty"` + + // PEM-encoded private key for the above certificate. + ClientKeyData string `json:"clientKeyData,omitempty"` +} diff --git a/generated/1.30/apis/concierge/login/v1alpha1/types_tokencredentialrequest.go b/generated/1.30/apis/concierge/login/v1alpha1/types_tokencredentialrequest.go new file mode 100644 index 000000000..1bbfe2550 --- /dev/null +++ b/generated/1.30/apis/concierge/login/v1alpha1/types_tokencredentialrequest.go @@ -0,0 +1,52 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// Specification of a TokenCredentialRequest, expected on requests to the Pinniped API. +type TokenCredentialRequestSpec struct { + // Bearer token supplied with the credential request. + Token string `json:"token,omitempty"` + + // Reference to an authenticator which can validate this credential request. + Authenticator corev1.TypedLocalObjectReference `json:"authenticator"` +} + +// Status of a TokenCredentialRequest, returned on responses to the Pinniped API. +type TokenCredentialRequestStatus struct { + // A Credential will be returned for a successful credential request. + // +optional + Credential *ClusterCredential `json:"credential,omitempty"` + + // An error message will be returned for an unsuccessful credential request. + // +optional + Message *string `json:"message,omitempty"` +} + +// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. +// +genclient +// +genclient:nonNamespaced +// +genclient:onlyVerbs=create +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type TokenCredentialRequest struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec TokenCredentialRequestSpec `json:"spec,omitempty"` + Status TokenCredentialRequestStatus `json:"status,omitempty"` +} + +// TokenCredentialRequestList is a list of TokenCredentialRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type TokenCredentialRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + // Items is a list of TokenCredentialRequest. + Items []TokenCredentialRequest `json:"items"` +} diff --git a/generated/1.30/apis/go.mod b/generated/1.30/apis/go.mod new file mode 100644 index 000000000..95a9244c4 --- /dev/null +++ b/generated/1.30/apis/go.mod @@ -0,0 +1,26 @@ +// This go.mod file is generated by ./hack/update.sh. +module go.pinniped.dev/generated/1.30/apis + +go 1.22.0 + +require ( + k8s.io/api v0.30.0 + k8s.io/apimachinery v0.30.0 +) + +require ( + github.com/go-logr/logr v1.4.1 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + golang.org/x/net v0.23.0 // indirect + golang.org/x/text v0.14.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + k8s.io/klog/v2 v2.120.1 // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect +) diff --git a/generated/1.30/apis/go.sum b/generated/1.30/apis/go.sum new file mode 100644 index 000000000..57dd389b7 --- /dev/null +++ b/generated/1.30/apis/go.sum @@ -0,0 +1,91 @@ +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= +k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= +k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= +k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= +k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/generated/1.30/apis/supervisor/clientsecret/doc.go b/generated/1.30/apis/supervisor/clientsecret/doc.go new file mode 100644 index 000000000..c536bc755 --- /dev/null +++ b/generated/1.30/apis/supervisor/clientsecret/doc.go @@ -0,0 +1,8 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:deepcopy-gen=package +// +groupName=clientsecret.supervisor.pinniped.dev + +// Package clientsecret is the internal version of the Pinniped client secret API. +package clientsecret diff --git a/generated/1.30/apis/supervisor/clientsecret/register.go b/generated/1.30/apis/supervisor/clientsecret/register.go new file mode 100644 index 000000000..8a76f0fec --- /dev/null +++ b/generated/1.30/apis/supervisor/clientsecret/register.go @@ -0,0 +1,38 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package clientsecret + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "clientsecret.supervisor.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal} + +// Kind takes an unqualified kind and returns back a Group qualified GroupKind. +func Kind(kind string) schema.GroupKind { + return SchemeGroupVersion.WithKind(kind).GroupKind() +} + +// Resource takes an unqualified resource and returns back a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + AddToScheme = SchemeBuilder.AddToScheme +) + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, + ) + return nil +} diff --git a/generated/1.30/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go b/generated/1.30/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go new file mode 100644 index 000000000..1e58f3d45 --- /dev/null +++ b/generated/1.30/apis/supervisor/clientsecret/types_oidcclientsecretrequest.go @@ -0,0 +1,50 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package clientsecret + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequest struct { + metav1.TypeMeta + metav1.ObjectMeta // metadata.name must be set to the client ID + + Spec OIDCClientSecretRequestSpec + + // +optional + Status OIDCClientSecretRequestStatus +} + +// Spec of the OIDCClientSecretRequest. +type OIDCClientSecretRequestSpec struct { + // Request a new client secret to for the OIDCClient referenced by the metadata.name field. + // +optional + GenerateNewSecret bool + + // Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field. + // +optional + RevokeOldSecrets bool +} + +// Status of the OIDCClientSecretRequest. +type OIDCClientSecretRequestStatus struct { + // The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if lost. + GeneratedSecret string + + // The total number of client secrets associated with the OIDCClient referenced by the metadata.name field. + TotalClientSecrets int +} + +// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta + metav1.ListMeta + + // Items is a list of OIDCClientSecretRequest. + Items []OIDCClientSecretRequest +} diff --git a/generated/1.30/apis/supervisor/clientsecret/v1alpha1/conversion.go b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/conversion.go new file mode 100644 index 000000000..fcf4e82f0 --- /dev/null +++ b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/conversion.go @@ -0,0 +1,4 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 diff --git a/generated/1.30/apis/supervisor/clientsecret/v1alpha1/defaults.go b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/defaults.go new file mode 100644 index 000000000..d4f5a9e87 --- /dev/null +++ b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/defaults.go @@ -0,0 +1,12 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/generated/1.30/apis/supervisor/clientsecret/v1alpha1/doc.go b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/doc.go new file mode 100644 index 000000000..ca8b69be7 --- /dev/null +++ b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/doc.go @@ -0,0 +1,11 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=go.pinniped.dev/generated/1.30/apis/supervisor/clientsecret +// +k8s:defaulter-gen=TypeMeta +// +groupName=clientsecret.supervisor.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API. +package v1alpha1 diff --git a/generated/1.30/apis/supervisor/clientsecret/v1alpha1/register.go b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/register.go new file mode 100644 index 000000000..4660e4078 --- /dev/null +++ b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/register.go @@ -0,0 +1,43 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "clientsecret.supervisor.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = SchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &OIDCClientSecretRequest{}, + &OIDCClientSecretRequestList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns back a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.30/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go new file mode 100644 index 000000000..c30d84387 --- /dev/null +++ b/generated/1.30/apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go @@ -0,0 +1,53 @@ +// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient. +// +genclient +// +genclient:onlyVerbs=create +// +kubebuilder:subresource:status +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequest struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID + + Spec OIDCClientSecretRequestSpec `json:"spec"` + + // +optional + Status OIDCClientSecretRequestStatus `json:"status"` +} + +// Spec of the OIDCClientSecretRequest. +type OIDCClientSecretRequestSpec struct { + // Request a new client secret to for the OIDCClient referenced by the metadata.name field. + // +optional + GenerateNewSecret bool `json:"generateNewSecret"` + + // Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field. + // +optional + RevokeOldSecrets bool `json:"revokeOldSecrets"` +} + +// Status of the OIDCClientSecretRequest. +type OIDCClientSecretRequestStatus struct { + // The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if lost. + GeneratedSecret string `json:"generatedSecret,omitempty"` + + // The total number of client secrets associated with the OIDCClient referenced by the metadata.name field. + TotalClientSecrets int `json:"totalClientSecrets"` +} + +// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientSecretRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + // Items is a list of OIDCClientSecretRequest. + Items []OIDCClientSecretRequest `json:"items"` +} diff --git a/generated/1.30/apis/supervisor/config/v1alpha1/doc.go b/generated/1.30/apis/supervisor/config/v1alpha1/doc.go new file mode 100644 index 000000000..45586c4bd --- /dev/null +++ b/generated/1.30/apis/supervisor/config/v1alpha1/doc.go @@ -0,0 +1,11 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=go.pinniped.dev/generated/1.30/apis/supervisor/config +// +k8s:defaulter-gen=TypeMeta +// +groupName=config.supervisor.pinniped.dev + +// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API. +package v1alpha1 diff --git a/generated/1.30/apis/supervisor/config/v1alpha1/register.go b/generated/1.30/apis/supervisor/config/v1alpha1/register.go new file mode 100644 index 000000000..54c51699d --- /dev/null +++ b/generated/1.30/apis/supervisor/config/v1alpha1/register.go @@ -0,0 +1,45 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "config.supervisor.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &FederationDomain{}, + &FederationDomainList{}, + &OIDCClient{}, + &OIDCClientList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.30/apis/supervisor/config/v1alpha1/types_federationdomain.go b/generated/1.30/apis/supervisor/config/v1alpha1/types_federationdomain.go new file mode 100644 index 000000000..95f7da282 --- /dev/null +++ b/generated/1.30/apis/supervisor/config/v1alpha1/types_federationdomain.go @@ -0,0 +1,312 @@ +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type FederationDomainPhase string + +const ( + // FederationDomainPhasePending is the default phase for newly-created FederationDomain resources. + FederationDomainPhasePending FederationDomainPhase = "Pending" + + // FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state. + FederationDomainPhaseReady FederationDomainPhase = "Ready" + + // FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state. + FederationDomainPhaseError FederationDomainPhase = "Error" +) + +// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider. +type FederationDomainTLSSpec struct { + // SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + // named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + // for TLS. + // + // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + // + // SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + // SecretName value even if they have different port numbers. + // + // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + // configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + // It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + // use the default TLS certificate, which is configured elsewhere. + // + // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. + // + // +optional + SecretName string `json:"secretName,omitempty"` +} + +// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to +// the transform expressions. This is a union type, and Type is the discriminator field. +type FederationDomainTransformsConstant struct { + // Name determines the name of the constant. It must be a valid identifier name. + // +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$` + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=64 + Name string `json:"name"` + + // Type determines the type of the constant, and indicates which other field should be non-empty. + // +kubebuilder:validation:Enum=string;stringList + Type string `json:"type"` + + // StringValue should hold the value when Type is "string", and is otherwise ignored. + // +optional + StringValue string `json:"stringValue,omitempty"` + + // StringListValue should hold the value when Type is "stringList", and is otherwise ignored. + // +optional + StringListValue []string `json:"stringListValue,omitempty"` +} + +// FederationDomainTransformsExpression defines a transform expression. +type FederationDomainTransformsExpression struct { + // Type determines the type of the expression. It must be one of the supported types. + // +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1 + Type string `json:"type"` + + // Expression is a CEL expression that will be evaluated based on the Type during an authentication. + // +kubebuilder:validation:MinLength=1 + Expression string `json:"expression"` + + // Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + // an authentication attempt. When empty, a default message will be used. + // +optional + Message string `json:"message,omitempty"` +} + +// FederationDomainTransformsExample defines a transform example. +type FederationDomainTransformsExample struct { + // Username is the input username. + // +kubebuilder:validation:MinLength=1 + Username string `json:"username"` + + // Groups is the input list of group names. + // +optional + Groups []string `json:"groups,omitempty"` + + // Expects is the expected output of the entire sequence of transforms when they are run against the + // input Username and Groups. + Expects FederationDomainTransformsExampleExpects `json:"expects"` +} + +// FederationDomainTransformsExampleExpects defines the expected result for a transforms example. +type FederationDomainTransformsExampleExpects struct { + // Username is the expected username after the transformations have been applied. + // +optional + Username string `json:"username,omitempty"` + + // Groups is the expected list of group names after the transformations have been applied. + // +optional + Groups []string `json:"groups,omitempty"` + + // Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + // after the transformations have been applied. True means that it is expected that the authentication would be + // rejected. The default value of false means that it is expected that the authentication would not be rejected + // by any policy expression. + // +optional + Rejected bool `json:"rejected,omitempty"` + + // Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + // message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + // then Message will be treated as the default error message for authentication attempts which are rejected by a + // policy. When Rejected is false, then Message is the expected error message for some other non-policy + // transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. + // +optional + Message string `json:"message,omitempty"` +} + +// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain. +type FederationDomainTransforms struct { + // Constants defines constant variables and their values which will be made available to the transform expressions. + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +optional + Constants []FederationDomainTransformsConstant `json:"constants,omitempty"` + + // Expressions are an optional list of transforms and policies to be executed in the order given during every + // authentication attempt, including during every session refresh. + // Each is a CEL expression. It may use the basic CEL language as defined in + // https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + // https://github.com/google/cel-go/tree/master/ext#strings. + // + // The username and groups extracted from the identity provider, and the constants defined in this CR, are + // available as variables in all expressions. The username is provided via a variable called `username` and + // the list of group names is provided via a variable called `groups` (which may be an empty list). + // Each user-provided constants is provided via a variable named `strConst.varName` for string constants + // and `strListConst.varName` for string list constants. + // + // The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + // Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + // and the authentication attempt is rejected. + // Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + // username or group names. + // Each username/v1 transform must return the new username (a string), which can be the same as the old username. + // Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + // Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + // groups list. + // Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + // After each expression, the new (potentially changed) username or groups get passed to the following expression. + // + // Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + // During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + // authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + // and group names have been decided for that authentication attempt. + // + // +optional + Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"` + + // Examples can optionally be used to ensure that the sequence of transformation expressions are working as + // expected. Examples define sample input identities which are then run through the expression list, and the + // results are compared to the expected results. If any example in this list fails, then this + // identity provider will not be available for use within this FederationDomain, and the error(s) will be + // added to the FederationDomain status. This can be used to help guard against programming mistakes in the + // expressions, and also act as living documentation for other administrators to better understand the expressions. + // +optional + Examples []FederationDomainTransformsExample `json:"examples,omitempty"` +} + +// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. +type FederationDomainIdentityProvider struct { + // DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + // kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + // disruptive change for those users. + // +kubebuilder:validation:MinLength=1 + DisplayName string `json:"displayName"` + + // ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + // If the reference cannot be resolved then the identity provider will not be made available. + // Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + // LDAPIdentityProvider, ActiveDirectoryIdentityProvider. + ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"` + + // Transforms is an optional way to specify transformations to be applied during user authentication and + // session refresh. + // +optional + Transforms FederationDomainTransforms `json:"transforms,omitempty"` +} + +// FederationDomainSpec is a struct that describes an OIDC Provider. +type FederationDomainSpec struct { + // Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + // identifier that it will use for the iss claim in issued JWTs. This field will also be used as + // the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + // https://example.com/foo, then your authorization endpoint will look like + // https://example.com/foo/some/path/to/auth/endpoint). + // + // See + // https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. + // +kubebuilder:validation:MinLength=1 + Issuer string `json:"issuer"` + + // TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. + // +optional + TLS *FederationDomainTLSSpec `json:"tls,omitempty"` + + // IdentityProviders is the list of identity providers available for use by this FederationDomain. + // + // An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + // how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + // extract a normalized user identity. Normalized user identities include a username and a list of group names. + // In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + // belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + // on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + // accidental conflicts when multiple identity providers have different users with the same username (e.g. + // "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + // rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + // the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + // disallow the authentication unless the user belongs to a specific group in the identity provider. + // + // For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + // an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + // exist in the same namespace, but also to reject all authentication requests when there is more than one identity + // provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + // (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + // FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + // relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + // explicitly list the identity provider using this IdentityProviders field. + // + // +optional + IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"` +} + +// FederationDomainSecrets holds information about this OIDC Provider's secrets. +type FederationDomainSecrets struct { + // JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + // stored. If it is empty, then the signing/verification keys are either unknown or they don't + // exist. + // +optional + JWKS corev1.LocalObjectReference `json:"jwks,omitempty"` + + // TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + // signing tokens is stored. + // +optional + TokenSigningKey corev1.LocalObjectReference `json:"tokenSigningKey,omitempty"` + + // StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + // signing state parameters is stored. + // +optional + StateSigningKey corev1.LocalObjectReference `json:"stateSigningKey,omitempty"` + + // StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + // encrypting state parameters is stored. + // +optional + StateEncryptionKey corev1.LocalObjectReference `json:"stateEncryptionKey,omitempty"` +} + +// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider. +type FederationDomainStatus struct { + // Phase summarizes the overall status of the FederationDomain. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase FederationDomainPhase `json:"phase,omitempty"` + + // Conditions represent the observations of an FederationDomain's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // Secrets contains information about this OIDC Provider's secrets. + // +optional + Secrets FederationDomainSecrets `json:"secrets,omitempty"` +} + +// FederationDomain describes the configuration of an OIDC provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type FederationDomain struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec of the OIDC provider. + Spec FederationDomainSpec `json:"spec"` + + // Status of the OIDC provider. + Status FederationDomainStatus `json:"status,omitempty"` +} + +// List of FederationDomain objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type FederationDomainList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []FederationDomain `json:"items"` +} diff --git a/generated/1.30/apis/supervisor/config/v1alpha1/types_oidcclient.go b/generated/1.30/apis/supervisor/config/v1alpha1/types_oidcclient.go new file mode 100644 index 000000000..61106fdba --- /dev/null +++ b/generated/1.30/apis/supervisor/config/v1alpha1/types_oidcclient.go @@ -0,0 +1,122 @@ +// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +type OIDCClientPhase string + +const ( + // OIDCClientPhasePending is the default phase for newly-created OIDCClient resources. + OIDCClientPhasePending OIDCClientPhase = "Pending" + + // OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state. + OIDCClientPhaseReady OIDCClientPhase = "Ready" + + // OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state. + OIDCClientPhaseError OIDCClientPhase = "Error" +) + +// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/` +type RedirectURI string + +// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange" +type GrantType string + +// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience" +type Scope string + +// OIDCClientSpec is a struct that describes an OIDCClient. +type OIDCClientSpec struct { + // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + // client. Any other uris will be rejected. + // Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + // Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + // +listType=set + // +kubebuilder:validation:MinItems=1 + AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"` + + // allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + // client. + // + // Must only contain the following values: + // - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + // authenticate users. This grant must always be listed. + // - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + // This grant must be listed if allowedScopes lists offline_access. + // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + // which is a step in the process to be able to get a cluster credential for the user. + // This grant must be listed if allowedScopes lists pinniped:request-audience. + // +listType=set + // +kubebuilder:validation:MinItems=1 + AllowedGrantTypes []GrantType `json:"allowedGrantTypes"` + + // allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + // + // Must only contain the following values: + // - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + // This scope must always be listed. + // - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + // This scope must be listed if allowedGrantTypes lists refresh_token. + // - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + // which is a step in the process to be able to get a cluster credential for the user. + // openid, username and groups scopes must be listed when this scope is present. + // This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + // - username: The client is allowed to request that ID tokens contain the user's username. + // Without the username scope being requested and allowed, the ID token will not contain the user's username. + // - groups: The client is allowed to request that ID tokens contain the user's group membership, + // if their group membership is discoverable by the Supervisor. + // Without the groups scope being requested and allowed, the ID token will not contain groups. + // +listType=set + // +kubebuilder:validation:MinItems=1 + AllowedScopes []Scope `json:"allowedScopes"` +} + +// OIDCClientStatus is a struct that describes the actual state of an OIDCClient. +type OIDCClientStatus struct { + // phase summarizes the overall status of the OIDCClient. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase OIDCClientPhase `json:"phase,omitempty"` + + // conditions represent the observations of an OIDCClient's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` + + // totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + // +optional + TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0 +} + +// OIDCClient describes the configuration of an OIDC client. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped +// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type OIDCClient struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec of the OIDC client. + Spec OIDCClientSpec `json:"spec"` + + // Status of the OIDC client. + Status OIDCClientStatus `json:"status,omitempty"` +} + +// List of OIDCClient objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCClientList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []OIDCClient `json:"items"` +} diff --git a/generated/1.30/apis/supervisor/idp/v1alpha1/doc.go b/generated/1.30/apis/supervisor/idp/v1alpha1/doc.go new file mode 100644 index 000000000..a9e91c47e --- /dev/null +++ b/generated/1.30/apis/supervisor/idp/v1alpha1/doc.go @@ -0,0 +1,11 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.supervisor.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API. +package v1alpha1 diff --git a/generated/1.30/apis/supervisor/idp/v1alpha1/register.go b/generated/1.30/apis/supervisor/idp/v1alpha1/register.go new file mode 100644 index 000000000..8829a8638 --- /dev/null +++ b/generated/1.30/apis/supervisor/idp/v1alpha1/register.go @@ -0,0 +1,47 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.supervisor.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &OIDCIdentityProvider{}, + &OIDCIdentityProviderList{}, + &LDAPIdentityProvider{}, + &LDAPIdentityProviderList{}, + &ActiveDirectoryIdentityProvider{}, + &ActiveDirectoryIdentityProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.30/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go b/generated/1.30/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go new file mode 100644 index 000000000..63fb1b550 --- /dev/null +++ b/generated/1.30/apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go @@ -0,0 +1,219 @@ +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type ActiveDirectoryIdentityProviderPhase string + +const ( + // ActiveDirectoryPhasePending is the default phase for newly-created ActiveDirectoryIdentityProvider resources. + ActiveDirectoryPhasePending ActiveDirectoryIdentityProviderPhase = "Pending" + + // ActiveDirectoryPhaseReady is the phase for an ActiveDirectoryIdentityProvider resource in a healthy state. + ActiveDirectoryPhaseReady ActiveDirectoryIdentityProviderPhase = "Ready" + + // ActiveDirectoryPhaseError is the phase for an ActiveDirectoryIdentityProvider in an unhealthy state. + ActiveDirectoryPhaseError ActiveDirectoryIdentityProviderPhase = "Error" +) + +// Status of an Active Directory identity provider. +type ActiveDirectoryIdentityProviderStatus struct { + // Phase summarizes the overall status of the ActiveDirectoryIdentityProvider. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase ActiveDirectoryIdentityProviderPhase `json:"phase,omitempty"` + + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +type ActiveDirectoryIdentityProviderBind struct { + // SecretName contains the name of a namespace-local Secret object that provides the username and + // password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + // of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + // should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + // The password must be non-empty. + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName"` +} + +type ActiveDirectoryIdentityProviderUserSearchAttributes struct { + // Username specifies the name of the attribute in Active Directory entry whose value shall become the username + // of the user after a successful authentication. + // Optional, when empty this defaults to "userPrincipalName". + // +optional + Username string `json:"username,omitempty"` + + // UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + // identify the user within this ActiveDirectory provider after a successful authentication. + // Optional, when empty this defaults to "objectGUID". + // +optional + UID string `json:"uid,omitempty"` +} + +type ActiveDirectoryIdentityProviderGroupSearchAttributes struct { + // GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + // in the user's list of groups after a successful authentication. + // The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + // server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + // Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + // where domain is constructed from the domain components of the group DN. + // +optional + GroupName string `json:"groupName,omitempty"` +} + +type ActiveDirectoryIdentityProviderUserSearch struct { + // Base is the dn (distinguished name) that should be used as the search base when searching for users. + // E.g. "ou=users,dc=example,dc=com". + // Optional, when not specified it will be based on the result of a query for the defaultNamingContext + // (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + // The default behavior searches your entire domain for users. + // It may make sense to specify a subtree as a search base if you wish to exclude some users + // or to make searches faster. + // +optional + Base string `json:"base,omitempty"` + + // Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + // in the filter at least once and will be dynamically replaced by the username for which the search is being run. + // E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + // https://ldap.com/ldap-filters. + // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + // Optional. When not specified, the default will be + // '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + // This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + // and is not shown in advanced view only + // (which would likely mean its a system created service account with advanced permissions). + // Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. + // +optional + Filter string `json:"filter,omitempty"` + + // Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + // the result of the user search. + // +optional + Attributes ActiveDirectoryIdentityProviderUserSearchAttributes `json:"attributes,omitempty"` +} + +type ActiveDirectoryIdentityProviderGroupSearch struct { + // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + // "ou=groups,dc=example,dc=com". + // Optional, when not specified it will be based on the result of a query for the defaultNamingContext + // (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + // The default behavior searches your entire domain for groups. + // It may make sense to specify a subtree as a search base if you wish to exclude some groups + // for security reasons or to make searches faster. + // +optional + Base string `json:"base,omitempty"` + + // Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + // value of an attribute of the user entry found as a result of the user search. Which attribute's + // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + // E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + // For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. + // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + // Optional. When not specified, the default will act as if the filter were specified as + // "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + // This searches nested groups by default. + // Note that nested group search can be slow for some Active Directory servers. To disable it, + // you can set the filter to + // "(&(objectClass=group)(member={})" + // +optional + Filter string `json:"filter,omitempty"` + + // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + // the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + // For example, specifying "uid" as the UserAttributeForFilter while specifying + // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + // the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + // +optional + UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"` + + // Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + // the result of the group search. + // +optional + Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"` + + // The user's group membership is refreshed as they interact with the supervisor + // to obtain new credentials (as their old credentials expire). This allows group + // membership changes to be quickly reflected into Kubernetes clusters. Since + // group membership is often used to bind authorization policies, it is important + // to keep the groups observed in Kubernetes clusters in-sync with the identity + // provider. + // + // In some environments, frequent group membership queries may result in a + // significant performance impact on the identity provider and/or the supervisor. + // The best approach to handle performance impacts is to tweak the group query + // to be more performant, for example by disabling nested group search or by + // using a more targeted group search base. + // + // If the group search query cannot be made performant and you are willing to + // have group memberships remain static for approximately a day, then set + // skipGroupRefresh to true. This is an insecure configuration as authorization + // policies that are bound to group membership will not notice if a user has + // been removed from a particular group until their next login. + // + // This is an experimental feature that may be removed or significantly altered + // in the future. Consumers of this configuration should carefully read all + // release notes before upgrading to ensure that the meaning of this field has + // not changed. + SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"` +} + +// Spec for configuring an ActiveDirectory identity provider. +type ActiveDirectoryIdentityProviderSpec struct { + // Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636. + // +kubebuilder:validation:MinLength=1 + Host string `json:"host"` + + // TLS contains the connection settings for how to establish the connection to the Host. + TLS *TLSSpec `json:"tls,omitempty"` + + // Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + // to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. + Bind ActiveDirectoryIdentityProviderBind `json:"bind,omitempty"` + + // UserSearch contains the configuration for searching for a user by name in Active Directory. + UserSearch ActiveDirectoryIdentityProviderUserSearch `json:"userSearch,omitempty"` + + // GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory. + GroupSearch ActiveDirectoryIdentityProviderGroupSearch `json:"groupSearch,omitempty"` +} + +// ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type ActiveDirectoryIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec ActiveDirectoryIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status ActiveDirectoryIdentityProviderStatus `json:"status,omitempty"` +} + +// List of ActiveDirectoryIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type ActiveDirectoryIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []ActiveDirectoryIdentityProvider `json:"items"` +} diff --git a/generated/1.30/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go b/generated/1.30/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go new file mode 100644 index 000000000..68200c51c --- /dev/null +++ b/generated/1.30/apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go @@ -0,0 +1,207 @@ +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type LDAPIdentityProviderPhase string + +const ( + // LDAPPhasePending is the default phase for newly-created LDAPIdentityProvider resources. + LDAPPhasePending LDAPIdentityProviderPhase = "Pending" + + // LDAPPhaseReady is the phase for an LDAPIdentityProvider resource in a healthy state. + LDAPPhaseReady LDAPIdentityProviderPhase = "Ready" + + // LDAPPhaseError is the phase for an LDAPIdentityProvider in an unhealthy state. + LDAPPhaseError LDAPIdentityProviderPhase = "Error" +) + +// Status of an LDAP identity provider. +type LDAPIdentityProviderStatus struct { + // Phase summarizes the overall status of the LDAPIdentityProvider. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase LDAPIdentityProviderPhase `json:"phase,omitempty"` + + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +type LDAPIdentityProviderBind struct { + // SecretName contains the name of a namespace-local Secret object that provides the username and + // password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + // of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + // should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + // The password must be non-empty. + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName"` +} + +type LDAPIdentityProviderUserSearchAttributes struct { + // Username specifies the name of the attribute in the LDAP entry whose value shall become the username + // of the user after a successful authentication. This would typically be the same attribute name used in + // the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + // The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + // server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + // is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + // value of "dn={}" would not work. + // +kubebuilder:validation:MinLength=1 + Username string `json:"username,omitempty"` + + // UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + // identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + // The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + // server in the user's entry. Distinguished names can be used by specifying lower-case "dn". + // +kubebuilder:validation:MinLength=1 + UID string `json:"uid,omitempty"` +} + +type LDAPIdentityProviderGroupSearchAttributes struct { + // GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name + // in the user's list of groups after a successful authentication. + // The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + // server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + // Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). + // +optional + GroupName string `json:"groupName,omitempty"` +} + +type LDAPIdentityProviderUserSearch struct { + // Base is the dn (distinguished name) that should be used as the search base when searching for users. + // E.g. "ou=users,dc=example,dc=com". + // +kubebuilder:validation:MinLength=1 + Base string `json:"base,omitempty"` + + // Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + // in the filter at least once and will be dynamically replaced by the username for which the search is being run. + // E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + // https://ldap.com/ldap-filters. + // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + // Optional. When not specified, the default will act as if the Filter were specified as the value from + // Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + // explicitly specified, since the default value of "dn={}" would not work. + // +optional + Filter string `json:"filter,omitempty"` + + // Attributes specifies how the user's information should be read from the LDAP entry which was found as + // the result of the user search. + // +optional + Attributes LDAPIdentityProviderUserSearchAttributes `json:"attributes,omitempty"` +} + +type LDAPIdentityProviderGroupSearch struct { + // Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + // "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + // authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + // the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. + // +optional + Base string `json:"base,omitempty"` + + // Filter is the LDAP search filter which should be applied when searching for groups for a user. + // The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + // value of an attribute of the user entry found as a result of the user search. Which attribute's + // value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + // For more information about LDAP filters, see https://ldap.com/ldap-filters. + // Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + // Optional. When not specified, the default will act as if the Filter were specified as "member={}". + // +optional + Filter string `json:"filter,omitempty"` + + // UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + // the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + // For example, specifying "uid" as the UserAttributeForFilter while specifying + // "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + // the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + // Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + // UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + // would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + // +optional + UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"` + + // Attributes specifies how the group's information should be read from each LDAP entry which was found as + // the result of the group search. + // +optional + Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"` + + // The user's group membership is refreshed as they interact with the supervisor + // to obtain new credentials (as their old credentials expire). This allows group + // membership changes to be quickly reflected into Kubernetes clusters. Since + // group membership is often used to bind authorization policies, it is important + // to keep the groups observed in Kubernetes clusters in-sync with the identity + // provider. + // + // In some environments, frequent group membership queries may result in a + // significant performance impact on the identity provider and/or the supervisor. + // The best approach to handle performance impacts is to tweak the group query + // to be more performant, for example by disabling nested group search or by + // using a more targeted group search base. + // + // If the group search query cannot be made performant and you are willing to + // have group memberships remain static for approximately a day, then set + // skipGroupRefresh to true. This is an insecure configuration as authorization + // policies that are bound to group membership will not notice if a user has + // been removed from a particular group until their next login. + // + // This is an experimental feature that may be removed or significantly altered + // in the future. Consumers of this configuration should carefully read all + // release notes before upgrading to ensure that the meaning of this field has + // not changed. + SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"` +} + +// Spec for configuring an LDAP identity provider. +type LDAPIdentityProviderSpec struct { + // Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636. + // +kubebuilder:validation:MinLength=1 + Host string `json:"host"` + + // TLS contains the connection settings for how to establish the connection to the Host. + TLS *TLSSpec `json:"tls,omitempty"` + + // Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + // to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. + Bind LDAPIdentityProviderBind `json:"bind,omitempty"` + + // UserSearch contains the configuration for searching for a user by name in the LDAP provider. + UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"` + + // GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider. + GroupSearch LDAPIdentityProviderGroupSearch `json:"groupSearch,omitempty"` +} + +// LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access +// Protocol (LDAP) identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type LDAPIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec LDAPIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status LDAPIdentityProviderStatus `json:"status,omitempty"` +} + +// List of LDAPIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type LDAPIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []LDAPIdentityProvider `json:"items"` +} diff --git a/generated/1.30/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.30/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go new file mode 100644 index 000000000..bdbff063e --- /dev/null +++ b/generated/1.30/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go @@ -0,0 +1,217 @@ +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type OIDCIdentityProviderPhase string + +const ( + // PhasePending is the default phase for newly-created OIDCIdentityProvider resources. + PhasePending OIDCIdentityProviderPhase = "Pending" + + // PhaseReady is the phase for an OIDCIdentityProvider resource in a healthy state. + PhaseReady OIDCIdentityProviderPhase = "Ready" + + // PhaseError is the phase for an OIDCIdentityProvider in an unhealthy state. + PhaseError OIDCIdentityProviderPhase = "Error" +) + +// OIDCIdentityProviderStatus is the status of an OIDC identity provider. +type OIDCIdentityProviderStatus struct { + // Phase summarizes the overall status of the OIDCIdentityProvider. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase OIDCIdentityProviderPhase `json:"phase,omitempty"` + + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization +// request parameters. +type OIDCAuthorizationConfig struct { + // additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + // request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + // Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + // always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + // the following scopes: "openid", "offline_access", "email", and "profile". See + // https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + // scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + // "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + // or as common patterns used by providers who implement the standard in the ecosystem evolve. + // By setting this list to anything other than an empty list, you are overriding the + // default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + // If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + // Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + // may wish to include it in this list. Sometimes the scope to request the user's group membership is called + // "groups", but unfortunately this is not specified in the OIDC standard. + // Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + // your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + // the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + // your OIDC provider's documentation for more information about what scopes are available to request claims. + // Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + // from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + // "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + // requirements for what to include in the request in order to receive a refresh token in the response, if anything. + // Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + // may ignore scopes that it does not understand or require (see + // https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + // "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + // provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). + // +optional + AdditionalScopes []string `json:"additionalScopes,omitempty"` + + // additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + // OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + // parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + // "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + // included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + // The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + // should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + // ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + // This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + // Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + // Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + // parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + // authorization endpoint for its requirements for what to include in the request in order to receive a refresh + // token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + // then include it here. Also note that most providers also require a certain scope to be requested in order to + // receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + // refresh tokens. + // +optional + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + AdditionalAuthorizeParameters []Parameter `json:"additionalAuthorizeParameters,omitempty"` + + // allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + // (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + // username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + // The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + // supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + // Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + // to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + // cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + // convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + // actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + // you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + // OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + // Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + // (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + // web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + // allowPasswordGrant defaults to false. + // +optional + AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"` +} + +// Parameter is a key/value pair which represents a parameter in an HTTP request. +type Parameter struct { + // The name of the parameter. Required. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + + // The value of the parameter. + // +optional + Value string `json:"value,omitempty"` +} + +// OIDCClaims provides a mapping from upstream claims into identities. +type OIDCClaims struct { + // Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + // the groups to which an identity belongs. By default, the identities will not include any group memberships when + // this setting is not configured. + // +optional + Groups string `json:"groups"` + + // Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + // ascertain an identity's username. When not set, the username will be an automatically constructed unique string + // which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + // the ID token. + // +optional + Username string `json:"username"` + + // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + // OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + // This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + // used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + // are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. + // +optional + AdditionalClaimMappings map[string]string `json:"additionalClaimMappings,omitempty"` +} + +// OIDCClient contains information about an OIDC client (e.g., client ID and client +// secret). +type OIDCClient struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + // struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + // "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider. +type OIDCIdentityProviderSpec struct { + // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + // /.well-known/openid-configuration. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Issuer string `json:"issuer"` + + // TLS configuration for discovery/JWKS requests to the issuer. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` + + // AuthorizationConfig holds information about how to form the OAuth2 authorization request + // parameters to be used with this OIDC identity provider. + // +optional + AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig,omitempty"` + + // Claims provides the names of token claims that will be used when inspecting an identity from + // this OIDC identity provider. + // +optional + Claims OIDCClaims `json:"claims"` + + // OIDCClient contains OIDC client information to be used used with this OIDC identity + // provider. + Client OIDCClient `json:"client"` +} + +// OIDCIdentityProvider describes the configuration of an upstream OpenID Connect identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type OIDCIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec OIDCIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status OIDCIdentityProviderStatus `json:"status,omitempty"` +} + +// OIDCIdentityProviderList lists OIDCIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type OIDCIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []OIDCIdentityProvider `json:"items"` +} diff --git a/generated/1.30/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.30/apis/supervisor/idp/v1alpha1/types_tls.go new file mode 100644 index 000000000..1413a262c --- /dev/null +++ b/generated/1.30/apis/supervisor/idp/v1alpha1/types_tls.go @@ -0,0 +1,11 @@ +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Configuration for TLS parameters related to identity provider integration. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.30/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go b/generated/1.30/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go new file mode 100644 index 000000000..ea0550904 --- /dev/null +++ b/generated/1.30/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go @@ -0,0 +1,66 @@ +// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// IDPType are the strings that can be returned by the Supervisor identity provider discovery endpoint +// as the "type" of each returned identity provider. +type IDPType string + +// IDPFlow are the strings that can be returned by the Supervisor identity provider discovery endpoint +// in the array of allowed client "flows" for each returned identity provider. +type IDPFlow string + +const ( + IDPTypeOIDC IDPType = "oidc" + IDPTypeLDAP IDPType = "ldap" + IDPTypeActiveDirectory IDPType = "activedirectory" + + IDPFlowCLIPassword IDPFlow = "cli_password" + IDPFlowBrowserAuthcode IDPFlow = "browser_authcode" +) + +// Equals is a convenience function for comparing an IDPType to a string. +func (r IDPType) Equals(s string) bool { + return string(r) == s +} + +// String is a convenience function to convert an IDPType to a string. +func (r IDPType) String() string { + return string(r) +} + +// Equals is a convenience function for comparing an IDPFlow to a string. +func (r IDPFlow) Equals(s string) bool { + return string(r) == s +} + +// String is a convenience function to convert an IDPFlow to a string. +func (r IDPFlow) String() string { + return string(r) +} + +// OIDCDiscoveryResponse is part of the response from a FederationDomain's OpenID Provider Configuration +// Document returned by the .well-known/openid-configuration endpoint. It ignores all the standard OpenID Provider +// configuration metadata and only picks out the portion related to Supervisor identity provider discovery. +type OIDCDiscoveryResponse struct { + SupervisorDiscovery OIDCDiscoveryResponseIDPEndpoint `json:"discovery.supervisor.pinniped.dev/v1alpha1"` +} + +// OIDCDiscoveryResponseIDPEndpoint contains the URL for the identity provider discovery endpoint. +type OIDCDiscoveryResponseIDPEndpoint struct { + PinnipedIDPsEndpoint string `json:"pinniped_identity_providers_endpoint"` +} + +// IDPDiscoveryResponse is the response of a FederationDomain's identity provider discovery endpoint. +type IDPDiscoveryResponse struct { + PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"` +} + +// PinnipedIDP describes a single identity provider as included in the response of a FederationDomain's +// identity provider discovery endpoint. +type PinnipedIDP struct { + Name string `json:"name"` + Type IDPType `json:"type"` + Flows []IDPFlow `json:"flows,omitempty"` +} diff --git a/generated/1.30/apis/supervisor/oidc/types_supervisor_oidc.go b/generated/1.30/apis/supervisor/oidc/types_supervisor_oidc.go new file mode 100644 index 000000000..f421ecaf6 --- /dev/null +++ b/generated/1.30/apis/supervisor/oidc/types_supervisor_oidc.go @@ -0,0 +1,90 @@ +// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package oidc + +// Constants related to the Supervisor FederationDomain's authorization and token endpoints. +const ( + // AuthorizeUsernameHeaderName is the name of the HTTP header which can be used to transmit a username + // to the authorize endpoint when using a password flow, for example an OIDCIdentityProvider with a password grant + // or an LDAPIdentityProvider. + AuthorizeUsernameHeaderName = "Pinniped-Username" + + // AuthorizePasswordHeaderName is the name of the HTTP header which can be used to transmit a password + // to the authorize endpoint when using a password flow, for example an OIDCIdentityProvider with a password grant + // or an LDAPIdentityProvider. + AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential + + // AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the name of the desired identity provider. + AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name" + + // AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select + // which identity provider should be used for authentication by sending the type of the desired identity provider. + AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type" + + // IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec. + IDTokenClaimIssuer = "iss" + + // IDTokenClaimSubject is name of the subject claim defined by the OIDC spec. + IDTokenClaimSubject = "sub" + + // IDTokenSubClaimIDPNameQueryParam is the name of the query param used in the values of the "sub" claim + // in Supervisor-issued ID tokens to identify with which external identity provider the user authenticated. + IDTokenSubClaimIDPNameQueryParam = "idpName" + + // IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec. + IDTokenClaimAuthorizedParty = "azp" + + // IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's + // username which was mapped from the upstream identity provider. + IDTokenClaimUsername = "username" + + // IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's + // group names which were mapped from the upstream identity provider. + IDTokenClaimGroups = "groups" + + // IDTokenClaimAdditionalClaims is the top level claim used to hold additional claims in the downstream ID + // token, if any claims are present. + IDTokenClaimAdditionalClaims = "additionalClaims" + + // GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec. + GrantTypeAuthorizationCode = "authorization_code" + + // GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec. + GrantTypeRefreshToken = "refresh_token" + + // GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges. + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential + + // ScopeOpenID is name of the openid scope defined by the OIDC spec. + ScopeOpenID = "openid" + + // ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh + // tokens. + ScopeOfflineAccess = "offline_access" + + // ScopeEmail is name of the email scope defined by the OIDC spec. + ScopeEmail = "email" + + // ScopeProfile is name of the profile scope defined by the OIDC spec. + ScopeProfile = "profile" + + // ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside + // ID tokens. + ScopeUsername = "username" + + // ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside + // ID tokens. + ScopeGroups = "groups" + + // ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to + // be used to request a different audience. + ScopeRequestAudience = "pinniped:request-audience" + + // ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI. + ClientIDPinnipedCLI = "pinniped-cli" + + // ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs. + ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-" +) diff --git a/generated/1.30/client/go.mod b/generated/1.30/client/go.mod new file mode 100644 index 000000000..8556183f8 --- /dev/null +++ b/generated/1.30/client/go.mod @@ -0,0 +1,13 @@ +// This go.mod file is generated by ./hack/update.sh. +module go.pinniped.dev/generated/1.30/client + +go 1.22.0 + +replace go.pinniped.dev/generated/1.30/apis => ../apis + +require ( + go.pinniped.dev/generated/1.30/apis v0.0.0 + k8s.io/api v0.30.0 + k8s.io/apimachinery v0.30.0 + k8s.io/client-go v0.30.0 +) diff --git a/generated/1.30/client/go.sum b/generated/1.30/client/go.sum new file mode 100644 index 000000000..df6376a65 --- /dev/null +++ b/generated/1.30/client/go.sum @@ -0,0 +1,52 @@ +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= +k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= +k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= +k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= +k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= +k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= +k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/hack/lib/kube-versions.txt b/hack/lib/kube-versions.txt index 76689e67b..0d97e7c3d 100644 --- a/hack/lib/kube-versions.txt +++ b/hack/lib/kube-versions.txt @@ -1,9 +1,12 @@ # This file lists the versions of Kubernetes to use for codegen. # They must be listed newest to oldest. -1.29.2 -1.28.7 -1.27.11 -1.26.14 +# New releases are listed at https://kubernetes.io/releases/. +# Older releases are listed at https://kubernetes.io/releases/patch-releases/. +1.30.0 +1.29.4 +1.28.9 +1.27.13 +1.26.15 1.25.16 1.24.17 1.23.17